The Federal Bureau of Investigation (FBI), the United States Department of Defense (DoD), and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly disclosed three malware variants, allegedly crafted and operated by the North Korean state-sponsored hacking group known as Hidden Cobra. Notably, the three US government agencies had already disclosed eight other malware families in the first quarter of 2020.
Hidden Cobra aka Lazarus
Alongside the announcement, three individual malware analysis reports (MARs) detail how the Hidden Cobra APT group operates against its targets. US officials have already confirmed that the Hidden Cobra Advanced Persistent Threat (APT) group has links to the North Korean government.
The Hidden Cobra APT group developed and executed the WannaCry attack and is known by other monikers such as Lazarus, Guardians of Peace and Zinc, to name a few. The group has also been linked to numerous cyber heists targeting financial institutions such as banks, cryptocurrency exchanges and ATMs.
The latest malware
The three latest malware analysis reports from the Cybersecurity & Infrastructure Security Agency's (CISA) Cyber Command describe three new variants dubbed Copperhedge, Taintedscribe, and Pebbledash. The MARs also make clear that all three malware variants are used by North Korean state-sponsored hackers.
Copperhedge- The Cyber Command analysis identifies Copperhedge as a Remote Access Tool (RAT) belonging to the Manuscrypt malware family. The Manuscrypt family is actively distributed by Lazarus and targets cryptocurrency exchanges. Manuscrypt RATs are capable of running arbitrary commands, performing system surveillance, and exfiltrating data. So far, six variants of the Manuscrypt RAT have come to light.
Taintedscribe- According to the Cyber Command MAR, the newly discovered Trojan Taintedscribe is installed on a compromised system to receive and execute the attacker's commands remotely. The Trojan masquerades as Microsoft Narrator and uses FakeTLS for session authentication, with network encryption provided by a Linear Feedback Shift Register (LFSR) algorithm.
Pebbledash- This Trojan is capable of downloading, uploading, deleting, and executing files. CISA explains that the Trojan can also provide Windows command-line access, create and terminate processes, and perform enumeration of the target system.
Cyber Command has also uploaded the malware samples to VirusTotal to encourage the private and public sectors to deploy defences against these state-sponsored tools.